6

I have an application that authenticates against a third-party web service by sending a username and password. At the moment I'm typing the password on a winform each time I start the application - but I need it to log in automatically.

I'd like to store the username/password somewhat more securely than

    Dim username As String = "username"
    Dim password As String = "password"

I understand that I probably won't stop a determined hacker with access to my source code, but storing them as plaintext feels wrong.

I've found some similar questions on here but none that provide me with an answer I can use.

Edit: The web service isn't mine, it's an API that requires me to log in to use.

Flash
  • I have a similar issue with my Android app calling a web service. I encrypt the string locally and decrypt on the web server - I'd like to know of any other ways too. – Ricky Apr 27 '11 at 15:39
  • Is the web service one you control? If so, it seems like the proper solution is to provide a narrower interface to the web service that only allows clients to do whatever your application does. – Max Strini Apr 27 '11 at 15:44
  • @Max I have no control over it. It's just an API that I'm using. – Flash Apr 27 '11 at 15:48
  • I deleted my answer. Sorry about that; I should have read the question a little more carefully. – Dave Apr 27 '11 at 15:48

1 Answer

4

For client-side Windows apps there is a ProtectedData class, which

...provides protection using the user or machine credentials to encrypt or decrypt data

So as long as the user's profile is safe, so are data items protected with this class. However, if the user's password is reset (not changed by the user himself), all data is effectively lost.

Anton Gogolev
  • Thanks, this looks promising. If I reset my password or moved the code to a different machine, I'd just have to recreate the file that stores the encrypted password, correct? – Flash Apr 27 '11 at 16:02
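
A sketch of the ProtectedData approach from the answer, including the recovery path raised in the comment (a blob that can no longer be decrypted is treated as missing and recreated). This is an added example, not code from the answer or its author; the module name, the `MyApp` folder, the file name and the entropy string are assumptions, and the project needs a reference to System.Security.dll.

```vb
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

' Added example: stores the API password encrypted under the current Windows user.
Module CredentialStore
    ' Hypothetical location under the user's roaming profile.
    Private ReadOnly StorePath As String = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
        "MyApp", "api-credential.bin")
    ' Optional entropy: not a secret, it only ties the blob to this application.
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("MyApp.ApiCredential.v1")

    Public Sub SavePassword(password As String)
        Dim plain As Byte() = Encoding.UTF8.GetBytes(password)
        Dim blob As Byte() = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser)
        Directory.CreateDirectory(Path.GetDirectoryName(StorePath))
        File.WriteAllBytes(StorePath, blob)
        Array.Clear(plain, 0, plain.Length) ' do not leave the plaintext bytes around
    End Sub

    ' Returns Nothing when no usable credential is stored.
    Public Function LoadPassword() As String
        If Not File.Exists(StorePath) Then Return Nothing
        Try
            Dim plain As Byte() = ProtectedData.Unprotect(
                File.ReadAllBytes(StorePath), Entropy, DataProtectionScope.CurrentUser)
            Dim password As String = Encoding.UTF8.GetString(plain)
            Array.Clear(plain, 0, plain.Length)
            Return password
        Catch ex As CryptographicException
            ' The blob was protected under another user or machine, or the
            ' user's password was reset: treat it as missing so it is recreated.
            Return Nothing
        End Try
    End Function

    Sub Main()
        Dim password As String = LoadPassword()
        If password Is Nothing Then
            ' First run or unreadable blob: ask once, then store it protected.
            Console.Write("API password: ")
            password = Console.ReadLine()
            SavePassword(password)
        End If
        ' password can now be passed to the web service login call.
    End Sub
End Module
```

With `DataProtectionScope.CurrentUser`, any code running as the same Windows user can call `Unprotect` on the file, so this protects the password at rest and from other accounts, not from software running in the user's own session.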